Fix some issues 10

2026-01-26 07:57:18 +01:00
parent dc786eae2e
commit 6e60956613
3 changed files with 22 additions and 29 deletions
--- a/infrastructure/environments/common/configs/configmap.yaml
+++ b/infrastructure/environments/common/configs/configmap.yaml
@@ -176,9 +176,12 @@ data:
  # ================================================================
  # EMAIL CONFIGURATION
  # ================================================================
-  SMTP_HOST: "mailu-postfix.bakery-ia.svc.cluster.local"
+  # Use mailu-front port 25 for internal relay (no auth needed from trusted subnet)
+  # Mailu is configured with subnet: "10.1.0.0/16" which allows unauthenticated relay
+  # TLS is disabled because Mailu is configured with TLS_FLAVOR: "notls"
+  SMTP_HOST: "mailu-front.bakery-ia.svc.cluster.local"
  SMTP_PORT: "25"
-  SMTP_TLS: "true"
+  SMTP_TLS: "false"
  SMTP_SSL: "false"
  DEFAULT_FROM_EMAIL: "noreply@bakewise.ai"
  DEFAULT_FROM_NAME: "Bakery-Forecast"
--- a/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
+++ b/infrastructure/platform/security/network-policies/allow-notification-to-mailu.yaml
@@ -1,8 +1,9 @@
 # Network Policy to allow notification service to send emails via Mailu
-# This policy allows egress from notification-service to mailu-postfix on SMTP ports
+# This policy allows egress from notification-service to mailu-front on SMTP port 25
 #
-# NOTE: Postfix only listens on port 25 (and 10025 internally), NOT 587
-# Port 587 (submission) is handled by mailu-front which proxies to postfix
+# NOTE: Mailu is configured with TLS_FLAVOR: "notls" and subnet: "10.1.0.0/16"
+# This allows unauthenticated relay from trusted pod network on port 25
+# mailu-front (nginx) handles SMTP and proxies to postfix internally
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -19,19 +20,17 @@ spec:
  policyTypes:
    - Egress
  egress:
-    # Allow SMTP traffic to mailu-postfix (port 25)
+    # Allow SMTP traffic to mailu-front (port 25, no TLS)
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/instance: mailu
-              app.kubernetes.io/component: postfix
+              app.kubernetes.io/component: front
      ports:
        - port: 25
          protocol: TCP
-        - port: 10025
-          protocol: TCP
 ---
-# Allow ingress TO mailu-postfix FROM any pod in bakery-ia namespace
+# Allow ingress TO mailu-front FROM any pod in bakery-ia namespace
 # This is needed because mailu-allow-internal only allows traffic from mailu pods
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -46,7 +45,7 @@ spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: mailu
-      app.kubernetes.io/component: postfix
+      app.kubernetes.io/component: front
  policyTypes:
    - Ingress
  ingress:
@@ -58,5 +57,3 @@ spec:
      ports:
        - port: 25
          protocol: TCP
-        - port: 10025
-          protocol: TCP